Effective date: June 11, 2026 · Last updated: June 11, 2026
This Privacy Policy explains how TC Fusion LLC ("TC Fusion," "we," "us," or "our") collects, uses, shares, and protects personal data when you use the Roost mobile application and related services (together, the "Service"). It also describes your rights under the EU and UK General Data Protection Regulation ("GDPR") and other applicable laws.
TC Fusion LLC is the controller responsible for your personal data under the GDPR.
EU / UK representative. Where required under Article 27 of the EU GDPR and UK GDPR, we will appoint a representative in the EU and the UK and list their contact details here. Until then, EU and UK users may contact us at the email above for any matter relating to their personal data.
This policy applies to the Roost mobile app and the services it connects to. It does not cover third-party services that have their own privacy policies (such as Apple, Google, or your device's operating system), or the TC Fusion company website, which is covered by a separate website privacy policy.
We collect the following categories of personal data, mostly directly from you or generated as you use the Service:
Sleep and health information is "special category" data under Article 9 of the GDPR and deserves the strongest protection. Roost is built around a two-layer model:
The detailed, sample-level recordings Roost reads from Apple Health (HealthKit) or Android Health Connect — minute-by-minute sleep stages, heart-rate series, and similar raw streams — are read on your device, used for on-device calculations, and never transmitted to our servers. We also never place this data in iCloud. To grant Roost read access to this data, you approve it through your operating system's own health-permission screen, which you can revoke at any time in your device settings.
From the raw data, your device computes gameplay results — quality bands, Sleep Points, ranks, streaks, and your hidden baseline. The results (not the underlying samples) are stored on our servers so your progress survives a lost or replaced phone and powers your roost. Because a long-running record of sleep quality can itself reveal information about your health, we treat this entire server-side sleep layer as Article 9 health data and protect it accordingly.
Separately and optionally, you can opt in to summary sync. When enabled, about a dozen numeric figures per night (bedtime, wake time, duration, latency, efficiency, time awake, REM/deep percentages, heart-rate dip) are backed up to our servers so your detailed history can be restored on a new device. This is:
| Purpose | Data used |
|---|---|
| Create and secure your account; sign you in | Account identifier, email, account ID |
| Provide core features — compute ranks, Sleep Points, streaks, quests; sync your progress across devices | Derived metrics, profile, sleep summaries (if opted in) |
| Power social features — your roost, leaderboards, kudos | Display name, avatar, rank/SP, roost membership |
| Send reminders and roost notifications (never during your sleep window) | Push token, time zone |
| Process subscriptions and manage Premium access | Subscription status from our payments processor |
| Keep the Service secure and prevent cheating in the ranking system | Derived gameplay metrics, technical identifiers |
| Understand and improve the product | Behavioral analytics events (no sleep values) |
| Diagnose crashes and errors to keep the app stable | Crash/error reports (no sleep data, no personal identifiers) |
| Respond to your support requests | Your message and contact details |
| Comply with legal obligations and keep consent records | Consent log, billing records |
We do not sell your personal data, and we do not use it for third-party advertising. We share data only with service providers ("sub-processors") who process it on our behalf under contract, and only as needed to run the Service:
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Supabase | Backend database, authentication, file storage, notifications backend | Account, profile, progress, sleep summaries (if opted in), push tokens, avatars, consent log | EU (Frankfurt, Germany) |
| Apple | Sign in with Apple; App Store billing | Account identifier, email, subscription | United States / global |
| Google | Google sign-in; Google Play billing | Account identifier, email, subscription | United States / global |
| Expo | Delivery of push notifications | Push token, platform | United States |
| RevenueCat | Subscription management | Your account ID, subscription events | United States |
| PostHog | Privacy-protective product analytics | Account ID + behavioral events only (never sleep values) | EU |
| Sentry | Crash & error diagnostics | Error/crash reports — no sleep data, no personal identifiers | United States |
We may also disclose data if required by law, to enforce our terms, or to protect the rights, safety, and security of our users or the public. If TC Fusion is involved in a merger, acquisition, or asset sale, personal data may be transferred, and we will notify you and honor the commitments in this policy.
Roost is social by design, but tightly scoped. Other members of your roost can see your display name, profile photo, current rank and Sleep Points, and time-related context needed for the weekly race. They cannot see your email, your raw or numeric sleep data, your baseline, or your individual night details. Profile photos are stored so they can be displayed in the app; treat your display name and photo as information visible to people you share a roost with.
Your core account and sleep data is stored in the European Union. Some sub-processors listed above are based in the United States. Where personal data of EU/UK users is transferred outside the EEA or UK, we rely on appropriate safeguards under the GDPR — such as the European Commission's Standard Contractual Clauses (and the UK Addendum), or an adequacy decision where one applies. You can request a copy of the relevant safeguards by contacting us.
Subject to applicable law, you have the right to:
To exercise any right, email privacy@tcfusion.dev. We respond within the timeframes required by law (generally within one month under the GDPR). We will not charge a fee or discriminate against you for exercising your rights. We may need to verify your identity before acting on a request.
Roost is intended for users aged 16 and older. It is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child under 16 has provided us personal data, contact us and we will delete it.
We use industry-standard measures to protect your data, including encryption in transit and at rest, strict database access controls that limit your data to you (and, for the narrow social fields above, your roost), an architecture that keeps raw health data off our servers entirely, and analytics and crash-reporting pipelines designed so sleep values are never sent to third parties. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
Roost computes ranks, Sleep Points, and quest progress automatically. These power the game and do not produce legal or similarly significant effects about you, and we do not use your data for automated decisions of that kind, nor for profiling for advertising.
We may update this policy as the Service evolves. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app. Continued use of the Service after an update means you accept the revised policy.
Questions, requests, or concerns? Email privacy@tcfusion.dev or write to TC Fusion LLC, 5678 Davis Ford Rd, Manassas, VA 20112, USA.
If you are in the EU or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority. In the EU, you can find yours via the European Data Protection Board; in the UK, the Information Commissioner's Office (ICO). We would, however, appreciate the chance to address your concern first.